Archive

Pass arguments between two searches, different sources

Path Finder

I am trying to perform a "for loop" splunk style, with two sources: source1 , source2. The searches right now looks like this:

1. source="source1" param1=value1 param2=value2 | stats values(token). I need the token for the next :

2. source="source2" param4="*" token

I tried ( but returns error: "Error in 'map': Did not find value for required attribute 'token":

source="source1" param1=value1 param2=value2 | stats values(token) | 
map maxsearches=10 search="search source="source2" param4="*"  token=$token$ | 
stats values(param4) by token "

Where am I wrong, and is there a way to optimize this ?
I tried source1 OR source2, but then I need multiple OR ( AND ( OR))) clauses to match multiple needed parameters.

Thanks in advance,

0 Karma

Path Finder

The working solution looks like this (note, results may vary, depending on what fields you have extracted) :

index=common_index  source=source2 param5 param4="*"  
[ 
  search index=common_index source=source1 param1=value1 param2=value2  
|stats values(token) as omg 
|rename omg as query 
] 
| stats values(param4) by token

This thing returns results like so :

param4_value1  token1
param4_value2  token2
param4_value2  token3

etc. 

martin_mueller, thanks one more time for helping 🙂

0 Karma

SplunkTrust
SplunkTrust

You're basically trying to use results from one search to filter the next? No problem with subsearches:

source="source2" param4="*" [search source="source1" param1=value1 param2=value2 | fields token | dedup token]

Open the job inspector to see the expression being returned by the subsearch, it'll be a huge ((OR))-behemoth.

SplunkTrust
SplunkTrust

Do post the exact search you're running and the debug info shown at the top of the job inspector.

0 Karma

SplunkTrust
SplunkTrust

That's exactly what the search-subsearch combo in my answer does.

0 Karma

Path Finder

The " [ inner search ] " returns the token alright , however it seems that the outer one doesn't understand the token provided ... I accepted your answer, as it seems the problem is related to my splunk instance 🙂

0 Karma

SplunkTrust
SplunkTrust

Do both sources have an extracted field token?

0 Karma

Path Finder

Sorry for the delay.
Yes, both searches have "token" extracted.
I can manually perform search1- copy/paste "token" in search2, but I'd like to automate.

0 Karma

Path Finder

True, but your way doesn't seem to be working.

The way I tried to do it , search 1 would return a list or single token like so:

tok_en1
tok_en2

What search 2 does is, foreach tok_en* get logged error message. It seems I need more time

0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!